System and Method of Secure Garbage Collection on a Mobile Device

ABSTRACT

A method and system for performing garbage collection involving sensitive information on a mobile device. Secure information is received at a mobile device over a wireless network. The sensitive information is extracted from the secure information. A software program operating on the mobile device uses an object to access the sensitive information. Secure garbage collection is performed upon the object after the object becomes unreachable.

RELATED CASE

This application is a continuation of U.S. patent application Ser. No.10/508,187 entitled “System and Method of Secure Garbage Collection on aMobile Device” filed on Sep. 17, 2004. The entire disclosure of which isincorporated herein by reference. This application claims the benefit ofand priority to U.S. Provisional Patent Application Ser. No. 60/365,515,filed Mar. 20, 2002, the entire disclosure of which is incorporatedherein by reference.

BACKGROUND

1. Technical Field

This invention relates generally to mobile devices and more particularlyto secure memory techniques on a mobile device.

2. Description of the Related Art

Many known mobile devices support objects, such as by using Java tosend, receive, or at least use data, voice, and/or multi-media(audio/video). These objects may be involved in sensitive infoinformation from cellular networks and with many different services.However, garbage collection operations presently performed on mobiledevices have security deficiencies.

A non-limiting example of the deficiencies includes collection ofunreachable objects. For example, FIG. 1 shows a typical state of a heapbetween garbage collections of unreferenced objects. A typical garbagecollector waits until memory becomes low before collecting unreachableobjects. Thus, an object may become unreachable well before it iscollected. This creates an unpredictable window of opportunity for anattack, especially if the memory recovery itself is not secure.

SUMMARY

In accordance with the teachings disclosed herein, a secure garbagecollection system is provided which includes a microprocessor, and anaddressable storage, having a heap and a secure garbage collectionsoftware module capable of calling a wipe function. When the securegarbage collection software module has detected that objects in the heapare unreachable, it securely reclaims the memory they were using bycalling the wipe function.

In another embodiment, the secure garbage collection may be triggered inmany different ways, including but not limited to the steps of: waitingfor a trigger, performing subsequent steps for all secure applications,requesting that a secure application unreference sensitive objects,perform secure garbage collecting, and determine if all secureapplications have been processed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the state of a typical heap between unreferenced objectsusing a known garbage collector;

FIG. 2 is a block diagram showing an exemplary secure garbage collectionsystem according to an embodiment of the invention;

FIG. 3 a is a block diagram illustrating in greater detail the physicalview of an example addressable storage of FIG. 2, featuring objects inRAM and Flash in an exemplary cryptographic message viewing application.

FIG. 3 b is a block diagram illustrating the logical view of FIG. 3 a;

FIG. 4 is a flow diagram showing an example method of triggering securegarbage collection on a mobile device according to an embodiment of theinvention;

FIG. 5 is a flow diagram showing an example method of secure garbagecollection whereby unreferenced objects are securely garbage collectedaccording to an embodiment of the invention;

FIG. 6 is a block diagram illustrating software components for use insecure garbage collection on a mobile device; and

FIG. 7 is a schematic-diagram of an exemplary wireless device'scomponents.

DETAILED DESCRIPTION

With reference now to the Figures, FIG. 2 is a block diagram showing anexemplary secure garbage collection system 300. The system 300 amongother things secures sensitive information, which may exist on its own,may arise from Personal Information Management (PIM), or may arise fromcommunications such as voice and/or video calls, short messaging service(SMS) communication, e-mail messaging, web page communication, andwireless access protocol (WAP) communication. The system 300 enablessecure decryption techniques and secure persistent storage techniques.Many different types of mobile devices may utilize system 300, such aspersonal digital assistants, mobile communication devices, cellularphones, and wireless two-way communication devices, as well as in anydevice that has sensitive information.

The exemplary secure garbage collection system 300 of FIG. 2 includes amicroprocessor 110, and an addressable storage 120 connected tomicroprocessor 110 by a data bus 130. The addressable storage 120 storesmicroprocessor software modules 140, heap 150 and reference table 160.

Microprocessor software 140 includes a native wipe function 170. Thenative wipe function 170 can obliterate the data in a portion ofaddressable storage 120. Suitable functions in the programming languageis the function ‘memset( )’, which could be used to write over data withall zeroes, all ones, or with random data to thwart sophisticated memoryrecovery techniques. Microprocessor software 140 also may includevirtual machine software 200, having a secure garbage collector softwaremodule 205 capable of using native wipe function 170, as well as beingable to access objects in heap 150 via reference table 160. Suchsoftware 140 may be used in many different implementation environments,such as object-oriented environments (e.g., Java).

Virtual machine software 200 is capable of interpreting virtual machineinstructions found in software modules 210. A specific virtual machinesoftware module (e.g., secure viewer application 220) is shown, and willbe used as an example application which uses secure garbage collectiontechniques.

Secure viewer application 220, when executed by virtual machine software200, results in viewer object 10V being allocated in heap 150,accessible via its corresponding @V 35V entry in reference table 160.Viewer object 10V could be, for instance, a user interface object whichdisplays sensitive information in a sensitive object, such as object10S. Viewer object 10V preferably dynamically generates sensitive object10S from secure object 70E by authentication in viewer application 220.

For instance, if secure object 70E is an S/MIME encrypted message, thensensitive object 10S is a clear unencrypted version of the S/MIMEmessage, dynamically generated by secure viewer application module 220,in this case an S/MIME e-mail viewer application, preferably byobtaining and applying a private key to encrypted S/MIME message object70E.

Heap 150 may be partitioned so that sensitive objects, such as object10S are distinguishable from secure objects, such as object 70E, asillustrated by regions 152 and 157 which respectively bound sensitiveand secure portions of heap 150. It should be understood that manydifferent partitioning configurations (or none at all) are possible withrespect to handling sensitive and secure objects in order to fit thesituation at hand.

Also shown is a portion of heap 150 which is unreachable, illustrated byregion 155. Region 155 contains objects 10V′, 10S′ and 70E′ which are nolonger referenced by other objects, and as such, are suitable forgarbage collection. Notice that object 10S′ is both unreachable andsensitive, object 70E′ is both unreachable and secure, whereas object10V′ is only unreachable.

Returning to the S/MIME viewer application 220 example, objects 10V′,10S′ and 70E′ are unreachable, for instance if the S/MIME viewerapplication stopped displaying viewer 10V′ in response to a deletemessage user interface command. Thus, if viewer 10V′ was the only objecthaving references to sensitive object 10S′ and 70E′, when the referenceto 10V′ is lost, all three objects are candidates for garbagecollection. Notice however that object 70E, although referenced byviewer 10V′, is still reachable and secure (e.g. encryptedS/MIME—perhaps because it was the previous message viewed by viewer 10V′and was not deleted by the user).

Secure garbage collector module 205, once it has detected that objects10V′, 10S′ and 70E′ are unreachable, securely reclaims the memory theywere using by calling native wipe function 170 to wipe, at least object10S′, as well as optionally objects 10V′ and 70E′. Optionally, allgarbage collections use the wipe native function 170 thereby treatingall objects as sensitive.

With reference to FIGS. 3 a and 3 b, FIG. 3 a is a block diagramillustrating in, greater detail the physical view of an exampleaddressable storage of FIG. 2, featuring a reference table, a viewerobject in RAM, a persistent encrypted object in Flash, and a transientsensitive object in RAM, in an exemplary cryptographic message viewingapplication.

FIG. 3 b is a block diagram illustrating the logical view of FIG. 3 a.Both are described next.

An object 10V that references object 10S and object 70E, are illustratedas they might appear somewhere in RAM 20 or Flash 80.

Also illustrated is a reference table 30, situated somewhere in RAM 20.The reference table 30 has several storage elements (35V, 35S, 35E) of afixed size “w” 37 to simplify the indexed access to storage elements.Each used storage element (35V, 35S, 35E) corresponds to an object (10V,10S, 70E) which are located in an addressable space, here consisting ofRAM 20 and Flash 80. For example object V 10V finds correspondence withstorage element index “v” 35V, object E 70E finds correspondence withstorage element index “e” 35E, whereas object S 10S finds correspondencewith storage element index “s” 35S. The addresses (40V, 40S, 90E) ofcorresponding objects (10V, 10S, 70E) are stored in storage elements(35V, 35S, 35E) so that knowing the index of an object in the referencetable 30 it is possible to obtain the address (40V, 40S, 90E) of anobject (10V, 10S, 70E) respectively. This is done by first obtaining theaddress @R 50 of the reference table 30. Then, given an object'sreference, such as “s” 55S for the example V object 10V, the address ofthe storage element @(R+v*w) 60V can be obtained by multiplying theindex 55V “v” by the size “w” 37 of each storage element.

Since the storage element 35V holds the address of the correspondingobject V 10V, resolving the contents of the storage element 35V providesthe address @V 40V of object V 10V in RAM 20. Similarly, the “s” storageelement 35S, when resolved provides the address @S 40S of object 10S inRAM 20, and the “e” storage element 35E points to an address @E 90E ofobject 70E in Flash 80. Also shown is how each object (10V, 10S, 70E)contains within its format its “this reference” (55V, 55S, 55E) relatedto the reference table 30. Also shown is how, object V 10V containswithin its format a reference “E” 65E to object E 70E, and a reference“S” 65S to object S 10S. This allows a runtime context within the scopeof object V 10V to be able to access objects E 70E and 10S in the sameway, regardless of the fact that object E 70E is situated at an address90E in Flash 80 and objects V 70A is in RAM 20.

Object 10V could be a Secure Multipurpose Internet Mail Extensions(S/MIME) viewer, in which case object 70E could be a persisted (S/MIME)encrypted message, and object 10S could be the sensitive decryptedversion of encrypted message 70E. Viewer object 10V could have generatedsensitive object 10S from encrypted object 70E at the request of andafter authenticating the user of viewer 10V—that is, the intendedrecipient of the S/MIME message.

With reference to FIG. 4, FIG. 4 depicts a flow diagram showing anexample method of triggering secure garbage collection on a mobiledevice. Step 410 includes waiting for a trigger. Any parametersassociated with a trigger could be loaded from storage 120 viaconfiguration 402. A trigger can result from many different events, suchas but not limited:

-   -   405I is a timeout event, which may occur when the mobile device        is left idle;    -   405H is a holstered or cradled event, which may occur when the        user, or an attacker, either places or removes the device from        its holster (if so equipped) or cradle (if so equipped).    -   405L is a screen lock or user lock event, which may occur due to        any number of reasons, such as when a user enters a password at        a lock screen, or when a user expressly locks the device or        screen;    -   405A is an application event, such as when a viewer has stopped        displaying a sensitive object. In the case of S/MIME, messages        are preferably kept secure (encrypted) and are decrypted only if        viewed. However, a configuration parameter could be used to age        the decrypted message before causing a secure garbage collection        trigger to give the user the opportunity to view a message,        close it, and re-open it within a narrow time out period.    -   405R is a roll back trigger, which can occur whenever the system        clock (if so equipped) or a time zone has been altered. A        configuration parameter could be used to specify the specific        cases.    -   405E is a transceiver event, which can occur if the mobile        device communicates (if so equipped), for instance over a        wireless network. For example, when communicating using S/MIME,        or while browsing using SSL or TLS, caches may be securely        garbage collected.

Step 420 includes performing subsequent steps for all secureapplications. Secure applications may be selected by configuration, ormay include all applications.

Step 430 includes requesting that a secure application unreferencesensitive objects. Thus, this step helps ensure that the window ofopportunity of an attacker is greatly limited in secure applicationsregardless of the trigger.

Step 440 includes securely garbage collecting. This step at leastincludes calling the native wipe function call, but may also includeother actions, such as, but not limited to, cleaning out the systemclipboard (if so equipped and configured). An exemplary method to carryout this step is discussed below with reference to FIG. 5.

Step 450 includes determining if all secure applications have beenprocessed. If all secure applications are clean (e.g., applications haveno references to sensitive objects), then steps 430 and 440 are repeatedfor the remaining secure applications. Alternatively, if all secureapplications are clean, then step 410 ensues and the method begins anew.

It is noted that the method of FIG. 4 may be implemented as a “Daemon”application for the virtual machine.

With reference to FIG. 5, FIG. 5 is a flow diagram showing an exemplarymethod of secure garbage collection whereby unreferenced objects aresecurely garbage collected.

The method 500 of FIG. 5 may be used to carry out step 440 of FIG. 4.Step 510 includes collecting unreferenced objects. This step may receivean indication, for instance via configuration information 502, such aswhich trigger caused the garbage collection in the method 400 of FIG. 4.For example, if an S/MIME viewer application was the trigger, thenunreferenced sensitive objects would preferably be collected from theheap starting near the cause of the trigger.

Step 520 includes performing subsequent steps for all unreferencedobjects in the heap. Step 530 includes determining if the unreferencedobject is sensitive. As was described in reference to FIG. 2, in apreferred embodiment, all unreferenced objects are treated as sensitive.This may also be specified in the configuration information 502. If theunreferenced object is determined to be sensitive, then step 540 ensues,followed by step 550; if not, then step 550 ensues.

Step 540 includes calling the native wipe function to obliterate thesensitive information in the unreferenced sensitive object. As wasdescribed in reference to FIG. 2, the native wipe function could be a C“memset( )” of object data to zeroes, ones, or random data. Which optionto use could be specified in configuration 502. It is also envisagedthat a non-native wipe function could be used.

Step 550 includes reclaiming object memory. This step could beaccomplished by a traditional garbage collector. By replacing all callsto the traditional garbage collector with calls to a secure garbagecollector, secure garbage collection can be enabled in many existingmethods and systems.

Step 560 includes determining if all unreferenced objects have beenreclaimed. If this is determined, then the method ends. If not, thenstep 530 ensues to continue secure garbage collection.

FIG. 6 illustrates at 600 a mobile device having a secure garbagecollection system. The mobile device 600 receives information (e.g.,secure message 602) over a wireless network 604. A software program 606operating on the mobile device 600 processes the secure message 602 suchthat a secure object is created and is stored within addressable storagememory 608 to handle the secure message 602. In this example, sensitiveinformation is extracted from the secure message 606, and a sensitiveobject is created and stored within addressable storage memory 608 inorder to handle the sensitive information.

When objects (610, 612, 614) in the addressable storage memory 608 aredetected as unreachable, a secure garbage collector module 616 securelyreclaims the memory 608 the objects (610, 612, 614) were using bycalling a wipe function 618. Optionally, all garbage collections use thewipe function 618 thereby treating all objects (610, 612, 614) assensitive. However, it should be understood that the garbage collectionmodule 616 may vary the type of objects the wipe function 618 may beused for. For example, the garbage collection module 616 may beconfigured to only use the wipe function 618 upon unreachable sensitiveobjects 610, or only upon unreachable secure objects 612, orcombinations thereof. Moreover, the garbage collection module 616 may beconfigured to use the wipe function 618 upon unreachable objects of oneor more software programs. Such approaches initiate secure garbagecollection in order to prevent unauthorized access to sensitiveinformation. Thus, secure garbage collection is initiated when an object(such as a sensitive object) becomes unreachable rather than only whenmemory becomes scarce.

Many different types of mobile devices may utilize the systems andmethods disclosed herein, such as a wireless device shown in FIG. 7.With reference to FIG. 7, wireless device 900 is preferably a two-waycommunication device having at least voice and data communicationcapabilities. The device 900 preferably has the capability tocommunicate with other computer systems on the Internet. Depending onthe functionality provided by the device, the device 900 may be referredto as a data messaging device, a two-way pager, a cellular telephonewith data messaging capabilities, a wireless Internet appliance or adata communication device (with or without telephony capabilities).

Where the device 900 is enabled for two-way communications, the device900 may incorporate a communication subsystem 911, including a receiver912, a transmitter 914, and associated components such as one or more,preferably embedded or internal, antenna elements 916 and 918, localoscillators (LOs) 913, and a processing module such as a digital signalprocessor (DSP) 920. As will be apparent to those skilled in the fieldof communications, the particular design of the communication subsystem911 will be dependent upon the communication network in which the deviceis intended to operate. For example, a device 900 destined for a NorthAmerican market may include a communication subsystem 911 designed tooperate within the Mobitex mobile communication system or DataTAC mobilecommunication system, whereas a device 900 intended for use in Europemay incorporate a General Packet Radio Service (GPRS) communicationsubsystem 911.

In general, the device 900 may acquire or generate secure and sensitiveinformation through its interaction with cellular networks and theservices the networks provide. Examples of cellular networks andservices they provide include Code Division Multiple Access (CDMA) andGlobal Service Mobile (GSM) networks which provide for the most partvoice and some data services. Voice services are typically compatiblewith plain old telephony service (POTS). Short Messaging Service (SMS)and Wireless Application Protocol (WAP) are available on some cellularnetworks. Data networks, such as MobiTex™, Datatac™, as well as advancednetworks such as General Packet Radio Service (GPRS), and UniversalMobile Telecommunications System (UMTS), may allow an appropriatelyconfigured wireless mobile device to offer data services such as e-mail,web browsing, SMS, WAP, as well as PIM. Future networks may also offervideo services. Thus, sources of sensitive information abound.

Network access requirements will also vary depending upon the type ofnetwork 919. For example, in the Mobitex and DataTAC networks, mobiledevices such as 900 are registered on the network using a uniquepersonal identification number or PIN associated with each device. InGPRS networks however, network access is associated with a subscriber oruser of a device 900. A GPRS device therefore requires a subscriberidentity module (not shown), commonly referred to as a SIM card, inorder to operate on a GPRS network. Without a SIM card, a GPRS devicewill not be fully functional. Local or non-network communicationfunctions (if any) may be operable, but the device 900 will be unable tocarry out any functions involving communications over network 919. Whenrequired network registration or activation procedures have beencompleted, a device 900 may send and receive communication signals overthe network 919. Signals received by the antenna 916 through acommunication network 919 are input to the receiver 912, which mayperform such common receiver functions as signal amplification,frequency down conversion, filtering, channel selection and the like,and in the example system shown in FIG. 7, analog to digital conversion.Analog to digital conversion of a received signal allows more complexcommunication functions such as demodulation and decoding to beperformed in the DSP 920. In a similar manner, signals to be transmittedare processed, including modulation and encoding for example, by the DSP920 and input to the transmitter 914 for digital to analog conversion,frequency up conversion, filtering, amplification and transmission overthe communication network 919 via the antenna 918.

The DSP 920 not only processes communication signals, but also providesfor receiver and transmitter control. For example, the gains applied tocommunication signals in the receiver 912 and transmitter 914 may beadaptively controlled through automatic gain control algorithmsimplemented in the DSP 920.

The device 900 preferably includes a microprocessor 938, which controlsthe overall operation of the device. Communication functions, includingat least data and voice communications, are performed through thecommunication subsystem 911. The microprocessor 938 also interacts withfurther device subsystems such as the display 922, flash memory 924,random access memory (RAM) 926, auxiliary input/output (I/O) subsystems928, serial port 930, keyboard 932, speaker 934, microphone 936, ashort-range communications subsystem 940 and any other device subsystemsgenerally designated as 942.

Some of the subsystems shown in FIG. 7 perform communication-relatedfunctions, whereas other subsystems may provide “resident” or on-devicefunctions. Notably, some subsystems, such as keyboard 932 and display922 for example, may be used for both communication-related functions,such as entering a text message for transmission over a communicationnetwork, and device-resident functions such as a calculator or tasklist.

Operating system software used by the microprocessor 938, which could beelement 110 of FIG. 2 is preferably stored in a persistent store such asflash memory 924, which could be element 80 of FIG. 3 a and may insteadbe a read only memory (ROM) or similar storage element or could be aportion of addressable storage 120 of FIGS. 2, 3 a and 3 b. Thoseskilled in the art will appreciate that the operating system, specificdevice applications, or parts thereof, may be temporarily loaded into avolatile store such as RAM 926, which could be element 20 of FIG. 2. Itis contemplated that received communication signals may also be storedto RAM 926. Flash memory 924 preferably includes data communicationmodule 924B, and when device 900 is enabled for voice communication,voice communication module 924A. For the purposes of this invention, arealso included in flash memory 924 other software modules 924N, whichcould be microprocessor software 140 of FIG. 2.

The microprocessor 938, in addition to its operating system functions,preferably enables execution of software applications on the device. Apredetermined set of applications which control basic device operations,including at least data and voice communication applications forexample, will normally be installed on the device 900 duringmanufacture. A preferred application that may be loaded onto the devicemay be a personal information manager (PIM) application having theability to organize and manage data items relating to the device usersuch as, but not limited to e-mail, calendar events, voice mails,appointments, and task items. Naturally, one or more memory stores maybe available on the device to facilitate storage of PIM data items onthe device. Such PIM application would preferably have the ability tosend and receive data items, via the wireless network. In a preferredembodiment, the PIM data items are seamlessly integrated, synchronizedand updated, via the wireless network, with the device user'scorresponding data items stored or associated with a host computersystem. Further applications may also be loaded onto the device 900through the network 919, an auxiliary I/O subsystem 928, serial port930, short-range communications subsystem 940 or any other suitablesubsystem 942, and installed by a user in the RAM 926 or preferably anon-volatile store (not shown) for execution by the microprocessor 938.Such flexibility in application installation increases the functionalityof the device and may provide enhanced on-device functions,communication-related functions, or both. For example, securecommunication applications may enable electronic commerce functions andother such financial transactions to be performed using the device 900.

In a data communication mode, a received signal such as a text messageor web page download will be processed by the communication subsystem911 and input to the microprocessor 938, which will preferably furtherprocess the received signal for output to the display 922, oralternatively to an auxiliary I/O device 928. A user of device 900 mayalso compose data items such as e-mail messages for example, using thekeyboard 932, which is preferably a complete alphanumeric keyboard ortelephone-type keypad, in conjunction with the display 922 and possiblyan auxiliary I/O device 928. Such composed items may then be transmittedover a communication network through the communication subsystem 911

For voice communications, overall operation of the device 900 issubstantially similar, except that received signals would preferably beoutput to a speaker 934 and signals for transmission would be generatedby a microphone 936. Alternative voice or audio 1/O subsystems such as avoice message recording subsystem may also be implemented on the device900. Although voice or audio signal output is preferably accomplishedprimarily through the speaker 934, the display 922 may also be used toprovide an indication of the identity of a calling party, the durationof a voice call, or other voice call related information for example.

The serial port 930, would normally be implemented in a personal digitalassistant (PDA)-type communication device for which synchronization witha user's desktop computer (not shown) may be desirable, but is anoptional device component. Such a port 930 would enable a user to setpreferences through an external device or software application and wouldextend the capabilities of the device by providing for information orsoftware downloads to the device 900 other than through a wirelesscommunication network. The alternate download path may for example beused to load an encryption key onto the device through a direct and thusreliable and trusted connection to thereby enable secure devicecommunication.

A short-range communications subsystem 940 is a further optionalcomponent which may provide for communication between the device 900 anddifferent systems or devices, which need not necessarily be similardevices. For example, the subsystem 940 may include an infrared deviceand associated circuits and components or a Bluetooth™ communicationmodule to provide for communication with similarly-enabled systems anddevices.

Having described in detail the preferred embodiments of the presentinvention, including the preferred methods of operation, it is to beunderstood that this operation could be carried out with differentelements and steps. This preferred embodiment is presented only by wayof example and is not meant to limit the scope of the present invention.This written description may enable those skilled in the art to make anduse embodiments having alternative elements that likewise correspond tothe elements of the invention. The intended scope of the invention thusincludes other structures, systems or methods that do not differ fromthe literal language of the description, and further includes otherstructures, systems or methods with insubstantial differences from theliteral language of the description.

1. A method for performing secure garbage collection involving sensitiveinformation on a mobile device, comprising the steps of: receiving at amobile device secure information over a wireless network; extractingsensitive information from the secure information; storing the sensitiveinformation in memory of the mobile device; wherein a softwareapplication operating on the mobile device uses an object to access thestored sensitive information; waiting for a garbage collection trigger,wherein the garbage collection trigger is an indication that a securegarbage collection operation is to be initiated; determining that thegarbage collection trigger has occurred; if the garbage collectiontrigger has occurred, requesting that the software applicationunreference objects, wherein the object becomes unreachable due to thesoftware application having unreferenced the object; determining thatthe object has become unreachable; based upon the determination that theobject has become unreachable, obliterating the unreachable object fromthe memory; and reclaiming the memory that the object was using.
 2. Themethod of claim 1, wherein the mobile device is a personal digitalassistant.
 3. The method of claim 1, wherein the mobile device is amobile communication device.
 4. The method of claim 1, wherein themobile device is a cellular telephone with data messaging capabilities.5. The method of claim 1, wherein the mobile device is a wirelesstwo-way communication device.
 6. The method of claim 1, wherein themobile device is a data messaging device.
 7. The method of claim 1,wherein the mobile device is a two-way pager.
 8. The method of claim 1,wherein the mobile device is a wireless Internet appliance.
 9. Themethod of claim 1, wherein the wireless network includes means forproviding the wireless network.
 10. The method of claim 1, wherein thesecure information is an S/MIME encrypted message.
 11. The method ofclaim 10, wherein the sensitive information is an unencrypted version ofthe S/MIME message.
 12. The method of claim 11, wherein the securemessage was unencrypted by obtaining and applying a private key to theencrypted S/MIME message.
 13. The method of claim 1, wherein thesensitive information arises from use of a Personal InformationManagement (PIM) application.